Two vulnerabilities exist in WordPad that could allow remote code
execution on an affected system. User interaction is required to
exploit these vulnerabilities.

Comments: Microsoft rates it as Important. No problems with that one...

-->Microsoft Security Bulletin MS04-042
Two vulnerabilities exist in the DHCP Server service, of which the
most severe could allow remote code execution on an affected system.
The DHCP Server service is not installed by default. Only the DHCP
Server service on Windows NT 4.0 Server is affected.

Comments: Microsoft rates it as Important. Disagree. OK, it will only
affect NT 4.0, but I do believe that there are a lot of NT 4.0 DHCP
servers running in companies...

-->Microsoft Security Bulletin MS04-043
A vulnerability exists in HyperTerminal that could allow remote code
execution on an affected system. User interaction is required to
exploit this vulnerability.

Comments: Microsoft rates it as Important. No problems with that one...

-->Microsoft Security Bulletin MS04-044
Two vulnerabilities exist in the Windows Kernel and the Local Security
Authority Subsystem Service (LSASS) that could allow privilege
elevation on an affected system. An attacker must have valid logon
credentials and be able to log on locally to exploit this
vulnerability.

Comments: Microsoft rates it as Important. LSASS again...elevation of
privilege...No problems with that one...

-->Microsoft Security Bulletin MS04-045
Two vulnerabilities exist in Windows Internet Naming Service (WINS)
that could allow remote code execution on an affected system. The WINS
Server service is not installed by default.

Comments: Microsoft rates it as Important. This is the issue with
WINS...we are seeing some spikes in port 42 probes on our reports...remember to apply the patches...

Below is a simple malware analysis of a password stealer. This is becoming really common these days in Brazil. The miscreants are sending phishing mails that imitate Brazilian postcard websites, delivering thousands of them to users' mailboxes.
This one came to my mailbox with the warning "Your partner is cheating on you, see the pictures below!"...This simple analysis was done with free tools available for Linux and Windows.

On Linux: Strings, UPX, Unrar

On Windows: Sysinternals tool / ZoneAlarm Free

Introduction:

A suspicious file was received on Nov 30 through a spam mail with the subject 'Your partner is cheating on you - see the pictures!' (in Portuguese).
Submitting it to VirusTotal showed that none of the 13 AV vendors recognized it as malware.

So, I decided to analyze it to see what I could find.
The purpose of this analysis is to show how you can use simple Unix/Linux tools to make a basic analysis.

#####################

Phase 1: The Binary

#####################

Binary: fotos.sfx.exe

# strings -a fotos.sfx.exe

-------------SNIP!------------------------
This program must be run under Win32

UPX0

UPX1

.rsrc

1.20

UPX!

W!jfVB!

-------------SNIP!------------------------

The first lines show interesting information: UPX.
UPX is a very common packer used to compress PE executables.
You can use UPX itself to pack and unpack files:

# upx -d fotos.sfx.exe -o fotos.sfx.unp.exe

# strings -a -e l fotos.sfx.unp.exe | more

(-e l selects 16-bit little-endian strings, which is how the Unicode resource strings of the WinRAR stub are stored; a plain strings run would miss them)

-------------SNIP!------------------------

No to A&ll

&Cancel

WinRAR self-extracting archive

-------------SNIP!------------------------

--> So, it is compressed with WinRAR.
To decompress it you can use unrar:

$ unrar x -v fotos.sfx.unp.exe

-------------SNIP!------------------------

UNRAR 2.71 freeware Copyright (c) 1993-2000 Eugene Roshal

Extracting from fotos.sfx.unp.exe

Unknown method in fotos.exe

Skipping fotos.exe

No files to extract

-------------SNIP!------------------------

--> One problem...version 2.71 does not support SFX scripts

SFX = Self-eXtracting File

So, I had to upgrade to 3.40

# ./unrar x -v ../fotos.sfx.unp.exe

-------------SNIP!------------------------

UNRAR 3.41 freeware Copyright (c) 1993-2004 Alexander Roshal

Extracting from ../fotos.sfx.unp.exe

;The comment below contains SFX script commands

Path=C:\Windows\system32

SavePath

Setup=fotos.exe

Silent=2 (Hide start dialog)

Overwrite=2 (skip existing files)

Extracting fotos.exe OK

All OK

-------------SNIP!------------------------

About the comments above: those are parameters that you set when creating a RAR file as an SFX. In this case, the archive extracts into C:\Windows\system32 (Path), runs fotos.exe as soon as extraction finishes (Setup), hides the start dialog (Silent=2) and skips files that already exist (Overwrite=2), so the stealer is dropped into the system directory and started without the user seeing a dialog.
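The same checks in code, as an added example that is not part of the diary: the first function looks for the UPX section names and the WinRAR SFX banner in a file's raw bytes (the banner is a UTF-16 resource string, which is why strings needed -e l, and it stays hidden until the UPX layer is removed), the second parses the Key=Value SFX commands from the comment text that unrar printed, and the third turns them into findings. The sample bytes and the script are constructed stand-ins for the real file.

```python
import re

# Added triage helper, not code from the diary. Input 1: raw bytes of the sample,
# checked for the markers the strings output revealed. Input 2: the SFX script
# text as unrar -v prints it from the archive comment.
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")
SFX_BANNER = "WinRAR self-extracting archive"
SFX_KEYS = {"Path", "SavePath", "Setup", "Silent", "Overwrite"}

def find_markers(data: bytes) -> dict:
    # The banner is a Unicode resource string, so it only appears as UTF-16LE
    # (which is why strings -e l was needed) and only once the UPX layer is gone.
    return {
        "upx": all(m in data for m in UPX_MARKERS),
        "winrar_sfx": SFX_BANNER.encode("ascii") in data
        or SFX_BANNER.encode("utf-16-le") in data,
    }

def parse_sfx_script(text: str) -> dict:
    # Key=Value commands; ';' lines are comments; a bare key (SavePath) maps to "".
    cmds = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        key, _, value = line.partition("=")
        if key.strip() in SFX_KEYS:
            cmds[key.strip()] = value.strip()
    return cmds

def assess(cmds: dict) -> list:
    # The combination seen in this sample: drop into system32, auto-run, no dialog.
    findings = []
    if re.search(r"\\(windows|winnt)\\system32\b", cmds.get("Path", ""), re.I):
        findings.append("extracts into the system directory: " + cmds["Path"])
    if cmds.get("Setup"):
        findings.append("runs " + cmds["Setup"] + " automatically after extraction")
    if cmds.get("Silent") in ("1", "2"):
        findings.append("hides the extraction dialog (Silent=" + cmds["Silent"] + ")")
    if cmds.get("Overwrite") == "2":
        findings.append("skips existing files instead of asking")
    return findings

# Constructed stand-in for the sample (not the real file): UPX section names,
# the banner in UTF-16LE, and the script exactly as unrar printed it above.
SAMPLE_BYTES = b"MZ\x90\x00UPX0\0\0\0\0UPX1\0\0\0\0.rsrc\0\0\0UPX!" \
    + SFX_BANNER.encode("utf-16-le")
SAMPLE_SCRIPT = ";The comment below contains SFX script commands\n" \
    "Path=C:\\Windows\\system32\nSavePath\nSetup=fotos.exe\nSilent=2\nOverwrite=2\n"
```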

That means that our process fotos.exe used createKey() to create a new key under HKLM\Software\Microsoft\Windows\CurrentVersion\Run, and setValue() to set the name and value of the new entry, like the value "D:\virus\fotos.sfx.unp.unr.exe\fotos.exe" at HKLM\Software\Microsoft\Windows\CurrentVersion\Run\fotos

Winsock...interesting. We knew that this application would try to use network resources, and this confirms it...

So, let's try to browse to one of those bank websites...

Navigating to one of those bank websites using IE was kind of funny...

I don't know if it was because of the IE Google bar, but the real website loaded almost perfectly, except that there was another pair of branch and account fields overlapping the real ones...

Putting fake data in the fields, or just not putting anything at all, and pressing OK made it open another window requesting more data: more passwords and personal information. After filling everything in with some 'good data' and pressing OK,
my ZoneAlarm came up with an alert:

-------------SNIP!------------------------

Do you want to allow fotos.exe to access the internet?

Technical Information

Destination IP: xx.xx.80.21:SMTP

Application: fotos.exe

-------------SNIP!------------------------

Hmmm...so that's why we had this IP address on that list...SMTP, email addresses...now it is starting to make sense...:)

But xx.xx.80.21 resolves to a hosting provider...not to any of the email domains that we found...Maybe an open relay??

#####################

Phase 3: Results

#####################

So, that's what we've got so far:

- It will create a key with the name and value HKLM\Software\Microsoft\Windows\CurrentVersion\Run\fotos, "D:\virus\fotos.sfx.unp.unr.exe\fotos.exe"

- It will use Winsock for network resources

- It will create fake fields for password, account, branch and some personal information, overlapping the real fields of the bank websites

- It will try to access an SMTP server at the IP that we found a few steps ago...

From now on, we should think of this application much like spyware. As we noticed, it uses Winsock. There are a lot of advantages in hooking into Winsock: in Microsoft Windows operating systems, Winsock is the interface through which applications use TCP/IP. This is wonderful for the attacker, because this way the application can monitor all of the machine's Internet traffic! And that's exactly what he wants: to know when you will access the banks' websites!

############################

Phase 4: Final experiments

############################

So, let's set up a mail server and see what this application is trying to send to that IP.

On another machine in the same lab network, I brought up a virtual interface with the same IP address as the machine that ZoneAlarm detected, and repeated the steps of phase 2, visiting the websites and filling in the fake forms. After pressing the last OK, ZoneAlarm alerted me again, and this time I allowed it to connect to port 25 of that IP address.
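A small version of that lab mail server, as an added example and not the diary's own setup: a loopback SMTP sink that accepts one session, answers the commands a client needs (HELO/EHLO, MAIL, RCPT, DATA, QUIT), undoes dot-stuffing and keeps the envelope and body for inspection. The demo session uses smtplib in place of the stealer and a constructed message; in a lab you would bind it to the IP the sample wants instead of 127.0.0.1.

```python
import smtplib, socket, threading

# Added lab sink (not from the diary): minimal SMTP responder that records envelope and body.
class SmtpSink:
    def __init__(self, host="127.0.0.1", port=0):   # port 0: let the OS pick one
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port)); self.sock.listen(1); self.sock.settimeout(10)
        self.port = self.sock.getsockname()[1]
        self.captured = []   # one dict per message the client handed over

    def serve_one(self):
        conn, _ = self.sock.accept()
        with conn, conn.makefile("rb") as rd, conn.makefile("wb") as wr:
            def reply(text):
                wr.write((text + "\r\n").encode()); wr.flush()
            msg = {"mail_from": "", "rcpt_to": [], "data": ""}
            reply("220 lab-sink ESMTP")
            while True:
                line = rd.readline().decode("latin-1").rstrip("\r\n")
                if not line: break                      # client went away
                verb, _, arg = line.partition(" "); verb = verb.upper()
                if verb in ("HELO", "EHLO"): reply("250 lab-sink")
                elif verb in ("MAIL", "RCPT"):          # arg is "FROM:<x>" / "TO:<x>"
                    addr = arg.partition(":")[2].strip()
                    if verb == "MAIL": msg["mail_from"] = addr
                    else: msg["rcpt_to"].append(addr)
                    reply("250 OK")
                elif verb == "DATA":
                    reply("354 End data with <CR><LF>.<CR><LF>")
                    body = []
                    while True:
                        raw = rd.readline().decode("latin-1")
                        if raw in ("", ".\r\n", ".\n"): break   # lone dot ends the body
                        body.append(raw[1:] if raw.startswith("..") else raw)  # un-stuff
                    msg["data"] = "".join(body)
                    self.captured.append(msg)           # one message per session here
                    reply("250 OK: queued")
                elif verb == "QUIT": reply("221 Bye"); break
                else: reply("250 OK")                   # RSET, NOOP, anything else
        self.sock.close()

def capture_one_message():
    # Constructed loopback demo: smtplib plays the stealer's client; the body mimics the form data.
    sink = SmtpSink()
    threading.Thread(target=sink.serve_one, daemon=True).start()
    sample = "Subject: dados\r\n\r\nagencia=1234 conta=56789-0\r\n.hidden\r\n"
    with smtplib.SMTP("127.0.0.1", sink.port, local_hostname="lab", timeout=10) as c:
        c.sendmail("victim@example.test", ["drop@example.test"], sample)
    return sink.captured[0]
```

The sink records the message before acknowledging DATA, so by the time the client's QUIT is answered the capture is complete and can be compared with what a packet capture shows.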

My mail server completed the whole transaction, which is reproduced below with the help of another friend, Ethereal: